Storing passwords in plain text in a database or file is not the correct approach: an attacker who gains access to the password store can read every password directly.
Hashes are one-way functions that generate a fixed representation, usually a number, of the data fed into them. If attackers know which hashing function you used, they can still recover the actual password, for example by hashing candidate passwords and comparing the results against the stored hashes. Salting passwords addresses that problem.
A simplified illustration of hashing is to convert every character in the string to its numeric value and exclusive-or the binary representations of those values together.
A salt is random data used as an additional input to a one-way function that hashes a password or passphrase. A new salt is randomly generated for each password.
Different mechanisms can be used to choose the salt:
· Use a single fixed salt string for every password
· Use a random piece of data for each password
· Salt on metadata, for example the person's birthday. Bank statements that open as password-protected PDF files are an example of this kind of mechanism.
What the salt does, effectively, is increase the amount of effort needed to break the password.
How to implement
o Generate a random salt value
o Concatenate the password and the salt
o Hash the concatenated result (password + salt)
o Store the hash and the salt (in the database or file)
o Implement password verification: hash the supplied password with the stored salt and compare the result with the stored hash
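The five steps above carried out in Python, as an added example that is not part of the original post. It assumes a per-password random salt (as the definition above recommends), SHA-256 as the one-way function, and a plain dictionary standing in for the database table or file.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16  # 128-bit random salt, generated fresh for every password


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Steps 1-3: generate a random salt, concatenate it with the password
    and hash the result. Returns (salt, digest) so both can be stored.
    Passing an explicit salt re-creates the hash during verification."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)            # step 1: salt from the OS CSPRNG
    data = salt + password.encode("utf-8")       # step 2: salt + password
    digest = hashlib.sha256(data).digest()       # step 3: hash the concatenation
    return salt, digest


def store_password(db: dict, username: str, password: str) -> None:
    """Step 4: store the salt next to the hash. `db` is a stand-in for the
    real table or file; hex encoding keeps the values printable."""
    salt, digest = hash_password(password)
    db[username] = {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(db: dict, username: str, candidate: str) -> bool:
    """Step 5: re-hash the candidate with the stored salt and compare.
    An unknown user fails the same way as a wrong password."""
    record = db.get(username)
    if record is None:
        return False
    salt = bytes.fromhex(record["salt"])
    _, digest = hash_password(candidate, salt)
    # constant-time compare so response time does not leak matching prefixes
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    users = {}                                   # constructed in-memory "database"
    store_password(users, "alice", "correct horse")
    store_password(users, "bob", "correct horse")
    # same password, different salts, so the stored hashes differ
    print(users["alice"]["hash"] != users["bob"]["hash"])   # True
    print(verify_password(users, "alice", "correct horse"))  # True
    print(verify_password(users, "alice", "wrong"))          # False
```

A single SHA-256 round is fast to compute; a production system should apply the same salt-and-store pattern with a deliberately slow password hashing function such as PBKDF2, bcrypt, scrypt or Argon2.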